lucene-general mailing list archives

From "Uwe Schindler" <...@thetaphi.de>
Subject RE: XSS Issue
Date Tue, 18 Jun 2013 16:53:02 GMT
The issue from the webpage I posted cannot be fixed because it would break all clients out
there, because the REST API is the official API to Solr implemented by millions of clients...
This is what I mean by: reinvent Solr to fix this.
The issue here is that it allows GET requests to modify the index. But as said before, it
is unfixable unless you want to break all client software outside.

If you want to prevent this, use e.g. ElasticSearch, which has a better, standards-conformant
REST API (which does not allow GET requests to modify anything).

-----
Uwe Schindler
H.-H.-Meier-Allee 63, D-28213 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de


> -----Original Message-----
> From: gregory draperi [mailto:gregory.draperi@gmail.com]
> Sent: Tuesday, June 18, 2013 6:43 PM
> To: general
> Subject: Re: XSS Issue
> 
> Yes, it works because it exploits a CSRF issue and in my opinion it should also
> be fixed like XSS vulnerabilities in the application.
> 
> I think we don't understand each other.
> 
> I'm going to send details to the private mailing list and I won't waste any more of
> your time.
> 
> Regards,
> 
> 
> 2013/6/18 Uwe Schindler <uwe@thetaphi.de>
> 
> > Have fun with this web page:
> >
> > http://www.thetaphi.de/nukeyoursolrindex.html
> >
> > It really works, if you have a default Solr instance running on your
> > local machine on default port with default collection, and you open
> > this web page
> > -> this nukes your index. This has nothing to do with the Admin interface.
> >
> > Uwe
> >
> > -----
> > Uwe Schindler
> > H.-H.-Meier-Allee 63, D-28213 Bremen
> > http://www.thetaphi.de
> > eMail: uwe@thetaphi.de
> >
> >
> > > -----Original Message-----
> > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > Sent: Tuesday, June 18, 2013 6:27 PM
> > > To: general
> > > Subject: Re: XSS Issue
> > >
> > > This is a Cross-Site Request Forgery issue (not an XSS) and should be fixed, for
> > > example, by adding an unpredictable parameter to the request.
> > >
> > > I'm going to send to private@lucene.apache.org what I have found.
> > >
> > > Best regards,
> > >
> > > Grégory
> > >
> > > 2013/6/18 Uwe Schindler <uwe@thetaphi.de>
> > >
> > > > Just to show this without the admin interface: Add these two
> > > > images to any web page like this:
> > > >
> > > > <img src="http://localhost:8983/solr/collection1/update?stream.body=%3Cdelete%3E%3Cquery%3E*:*%3C/query%3E%3C/delete%3E" />
> > > > <img src="http://localhost:8983/solr/collection1/update?stream.body=%3Ccommit/%3E" />
> > > >
> > > > Anybody who visits this web page would nuke the index of his
> > > > running solr server on the local machine - there is not even the
> > > > admin web interface involved. Any REST API on earth has this
> > > > problem, it is not specific to Solr!
> > > >
> > > > Uwe
> > > >
> > > > -----
> > > > Uwe Schindler
> > > > H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de
> > > > eMail: uwe@thetaphi.de
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Uwe Schindler [mailto:uwe@thetaphi.de]
> > > > > Sent: Tuesday, June 18, 2013 6:01 PM
> > > > > To: general@lucene.apache.org
> > > > > Cc: 'gregory draperi'
> > > > > Subject: RE: XSS Issue
> > > > >
> > > > > Hi,
> > > > >
> > > > > you can of course send your investigation to private@lucene.apache.org,
> > > > > we greatly appreciate this.
> > > > > An XSS problem in the Solr Admin interface can for sure be solved somehow,
> > > > > but would not help to make Solr secure. Without the admin interface you
> > > > > can still add some image into any web page that executes a "delete whole
> > > > > index request" on the Solr server.
> > > > >
> > > > > If you want to prevent this, you can add HTTP basic authentication to
> > > > > your web container, as described in the Solr wiki.
> > > > >
> > > > > In general: If you have e.g. an EC2 cloud of Solr servers, add an extra
> > > > > security group to your cloud and limit all access from outside. Then also
> > > > > no admin can access this.
> > > > >
> > > > > -----
> > > > > Uwe Schindler
> > > > > H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de
> > > > > eMail: uwe@thetaphi.de
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > > > Sent: Tuesday, June 18, 2013 5:46 PM
> > > > > > To: Uwe Schindler
> > > > > > Cc: general
> > > > > > Subject: Re: XSS Issue
> > > > > >
> > > > > > Yes he can do that but as I said the same problem can occur without
> > > > > > his consent (and without a click) if he's on an arbitrary website
> > > > > > which hosts an HTML IMG pointing to the vulnerable page of the Solr
> > > > > > administrator interface (like <IMG
> > > > > > src="http://X.X.X.X/solr/admin/xss_vulnerable_page/> )
> > > > > >
> > > > > > I'm thankful for your quick responses even though I don't understand
> > > > > > this philosophy. I note the point.
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Grégory DRAPERI
> > > > > >
> > > > > >
> > > > > > 2013/6/18 Uwe Schindler <uwe@thetaphi.de>
> > > > > >
> > > > > > > He can also delete his whole index with a single click on an HTTP
> > > > > > > link referring to his Solr server. This is his problem. Never click
> > > > > > > on links from eMail.
> > > > > > > Solr is, as said already, not secured at all. If you want a "secure"
> > > > > > > Solr server, rewrite the whole thing. The same applies to other
> > > > > > > Lucene based products like ElasticSearch that have no "security"
> > > > > > > included.
> > > > > > >
> > > > > > > -----
> > > > > > > Uwe Schindler
> > > > > > > H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de
> > > > > > > eMail: uwe@thetaphi.de
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > > > > > Sent: Tuesday, June 18, 2013 5:26 PM
> > > > > > > > To: Uwe Schindler
> > > > > > > > Cc: general
> > > > > > > > Subject: Re: XSS Issue
> > > > > > > >
> > > > > > > > Hi Uwe,
> > > > > > > >
> > > > > > > > Thank you for your quick response.
> > > > > > > >
> > > > > > > > I'm a little bit surprised because XSS is not a problem of making
> > > > > > > > Solr accessible or not to the Internet because this is a reflected XSS.
> > > > > > > > If an administrator receives a mail with a malicious link pointing to
> > > > > > > > the Solr administrator interface and containing a malicious payload he
> > > > > > > > will execute the JavaScript if he clicks on it.
> > > > > > > >
> > > > > > > > There are also other techniques that can be used to make a Solr
> > > > > > > > administrator execute this link without his consent (HTML IMG TAG
> > > > > > > > pointing to the Solr administration interface and hosted on a
> > > > > > > > malicious website) and that will bypass network based protection.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > >
> > > > > > > > Grégory DRAPERI
> > > > > > > >
> > > > > > > >
> > > > > > > > 2013/6/18 Uwe Schindler <uwe@thetaphi.de>
> > > > > > > >
> > > > > > > > > Hi Grégory,
> > > > > > > > >
> > > > > > > > > Solr should always only listen on private networks, never make
> > > > > > > > > it accessible to the internet. This is officially documented; for
> > > > > > > > > more information about this, see:
> > > > > > > > > http://wiki.apache.org/solr/SolrSecurity
> > > > > > > > > Solr uses HTTP as its programming API and you can do everything
> > > > > > > > > Java allows via HTTP, but HTTP does not mean it must be open to
> > > > > > > > > the internet. By opening a Solr server to the internet you are
> > > > > > > > > somehow wrapping everything Java allows to the internet, so it is
> > > > > > > > > not recommended. Solr also has no security features at all;
> > > > > > > > > managing this is all up to the front-end, sitting on the internet
> > > > > > > > > or insecure networks.
> > > > > > > > >
> > > > > > > > > There are already some issues open to limit some XSS and similar
> > > > > > > > > access:
> > > > > > > > > https://issues.apache.org/jira/browse/SOLR-4882
> > > > > > > > >
> > > > > > > > > Uwe
> > > > > > > > >
> > > > > > > > > -----
> > > > > > > > > Uwe Schindler
> > > > > > > > > H.-H.-Meier-Allee 63, D-28213 Bremen http://www.thetaphi.de
> > > > > > > > > eMail: uwe@thetaphi.de
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: gregory draperi [mailto:gregory.draperi@gmail.com]
> > > > > > > > > > Sent: Tuesday, June 18, 2013 3:13 PM
> > > > > > > > > > To: general@lucene.apache.org
> > > > > > > > > > Subject: XSS Issue
> > > > > > > > > >
> > > > > > > > > > Dear Solr project members,
> > > > > > > > > >
> > > > > > > > > > I think I have found an XSS (Cross-Site Scripting) issue in
> > > > > > > > > > the 3.6.2 version of Solr.
> > > > > > > > > >
> > > > > > > > > > How can I give you more details?
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > Grégory Draperi
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Grégory Draperi
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Grégory Draperi
> > > >
> > > >
> > >
> > >
> > > --
> > > Grégory Draperi
> >
> >
> 
> 
> --
> Grégory Draperi
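The thread turns on one fact: a GET to the `/update` handler with `stream.body` changes the index, and any page's `<img>` tag makes a visitor's browser issue exactly such a GET without the visitor's consent. The defences discussed (no mutation via GET, an unpredictable per-session parameter, same-origin checking) can be expressed as a small request filter placed in front of Solr, e.g. in a reverse proxy. This is an added Python example, not Solr's or the project's own code; the `csrf_token` parameter, the `X-CSRF-Token` header and the secret are assumptions for illustration.

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs

# Constructed server-side secret for the demo; a real deployment would generate
# it at startup and never expose it to pages a browser can load.
SECRET = b"constructed-demo-secret"
TOKEN_PARAM = "csrf_token"      # hypothetical parameter name, not a Solr one
TOKEN_HEADER = "X-CSRF-Token"   # hypothetical header name, not a Solr one


def expected_token(session_id: str) -> str:
    """Per-session unpredictable value: HMAC of the session id under SECRET."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def filter_request(method: str, url: str, headers: dict, session_id: str):
    """Decide whether a request may be forwarded to Solr; returns (allowed, reason).

    Only the /update handler mutates the index, so other handlers pass through.
    An <img src=...> fetch is always a GET, cannot add custom headers and cannot
    know the per-session token, so it fails the checks below, while a client
    that POSTs with the token still gets through.
    """
    parts = urlparse(url)
    query = parse_qs(parts.query)
    if not parts.path.endswith("/update"):
        return True, "not an update handler"
    # 1. No index mutation over GET: a browser-loaded image can only issue a GET.
    if method.upper() == "GET" and "stream.body" in query:
        return False, "update via GET with stream.body"
    # 2. When the browser sends Origin or Referer, it must name our own host.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin and urlparse(origin).netloc != headers.get("Host", ""):
        return False, "cross-site Origin/Referer"
    # 3. The unpredictable parameter proposed in the thread: accepted from the
    #    query string or a header, compared in constant time.
    token = query.get(TOKEN_PARAM, [""])[0] or headers.get(TOKEN_HEADER, "")
    if not hmac.compare_digest(token.encode(), expected_token(session_id).encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```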

